Po Ransomware
The Po Ransomware is a variant from the infamous Dharma malware family. Cybercriminals can utilize the threat to lock the data of their victims. Ransomware threats are designed specifically to encrypt important files, such as documents, PDFs, archives, databases, photos, etc. The affected data is then exploited by the attackers as a way to extort money from their victims.
The Po Ransomware follows the typical behavior associated with Dharma variants. It modifies the names of the locked files by attaching an ID string, an email, and a new file extension to them. The email address added to the file names is 'recovery2022@tutanota.com,' while the file extension is '.Po.' The threat also will drop two ransom notes on the infected systems.
One of the ransom-demanding messages will be delivered as a text file named 'info.txt.' The instructions inside the file are extremely brief and mostly concern telling users to contact the attackers by messaging their two email addresses - 'recovery2022@tutanota.com' or 'mr.helper@gmx.com.' A longer ransom note will be displayed in a newly created pop-up window. Here, the threat will reiterate that victims must establish contact with cybercriminals. However, the note also contains numerous warnings, telling users not to rename the encrypted files or try to restore them with third-party tools, as doing so could cause permanent damage.
The message found inside the text file is:
'all your data has been locked us
You want to return?
write email recovery2022@tutanota.com or mr.helper@gmx.com'
The pop-up window displays the following note:
'YOUR FILES ARE ENCRYPTED
1024
Don't worry, you can return all your files!
If you want to restore them, write to the mail: recovery2022@tutanota.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:mr.helper@gmx.com
ATTENTION!
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
